To use GoCenter:
export GOPROXY=https://gocenter.io
dfir.software/fslib
January 1st 0001
Last Modified
0
Stars
MIT
License
10
Downloads
ReadMe
Mod File
GoDocs
New
Security
Dependencies (0)
Used By (0)
Metrics
Versions
fslib
A collection of tools and libraries to parse filesystems, archives and other data types.
Installation
go get dfir.software/fslib
Libraries
| Package | Description | GoDoc |
|---|---|---|
| aferotools/copy | Copy functions for afero |  |
| aferotools/zip | Write only zip file systems for afero |  |
| cmd/fs | High level functions and commandline tools |  |
| content | Extract plain text from different file formats |  |
| filesystem | Tests for filesystems |  |
| filetype | Detect filetype of files |  |
| forensicfs | Interface for forensic filesystems |  |
| forensicfs/copy | Copy files from forensic filesystems |  |
Forensic Filesystems
| Package | Description | GoDoc |
|---|---|---|
| fat16 | FAT16 filesystem |  |
| gpt | GPT filesystem |  |
| mbr | MBR filesystem |  |
| ntfs | NTFS filesystem |  |
| osfs | Live OS filesystem |  |
| registryfs | Registry filesystem |  |
| zip | ZIP filesystem |  |
| fallbackfs | Meta filesystem to use another filesystem in case of errors |  |
| recursivefs | Meta filesystem to recursively parse filesystems |  |
| testfs | Test filesystem |  |
Path
- all paths are sparated by forward slashes ‘/’ (yes, even the windows registry)
- forward slashes are escaped as ‘//’ TODO
- all paths need to start with forward slashes ‘/’ (exception: the OSFS accepts relative paths)
Future Work
- Create more commands
carvefor files
- Support more formats
- EXT2, EXT3, EXT4: https://github.com/sleuthkit/sleuthkit/wiki/ExtX, https://digital-forensics.sans.org/blog/2017/06/07/understanding-ext4-part-6-directories
- FAT, exFAT: https://github.com/sleuthkit/sleuthkit/wiki/FAT, https://commons.erau.edu/adfsl/2018/presentations/4/
- HFS: https://github.com/sleuthkit/sleuthkit/wiki/HFS
- ISO 9660: https://github.com/sleuthkit/sleuthkit/wiki/ISO9660
- UFS 1, UFS 2: https://github.com/sleuthkit/sleuthkit/wiki/UFS
- YAFFS2: https://github.com/sleuthkit/sleuthkit/wiki/YAFFS2
- ReFS: (https://github.com/movitto/resilience)
- AFF: https://github.com/aff4/Standard/blob/master/AFF4StandardSpecification-v1.0.pdf
- EWF: https://github.com/libyal/libewf/blob/master/documentation/Expert%20Witness%20Compression%20Format%20(EWF).asciidoc
- Windows Registry: https://github.com/log2timeline/plaso/tree/master/plaso/parsers/winreg_plugins
- vmdk
- E01; https://github.com/sydp/goewF
- aff: https://github.com/Velocidex/c-aff4
- OCR: https://github.com/otiai10/gosseract
- zip, tar, rar: https://github.com/mholt/archiver
- zip, tar, rar, 7z: https://github.com/gen2brain/go-unarr
- Format Collections